For the latest IP address ranges and services, please refer to our Firewall Best Practices guide.

Connecting the Fortigate

In order to connect the Fortigate to the network:

  • Ensure the modem or other ISP-provided equipment is in bridge mode. Anyone familiar with the local network setup will be able to assist with this.
  • Note: If the IP address is static, it will be necessary to load this information into the Fortigate.
  • Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or a switch connected to the router.
  • In most cases, the router can be accessed locally at 192.168.1.99.

Configuring Addresses

  • Navigate to Policy & Objects
  • Scroll down and select the option Addresses
  • Fill in the options below like so:
    • Name: Cytracom Register
    • Color: blue [optional]
    • Type: Subnet
    • Subnet/IP Range: 209.105.249.0/24
    • Interface: Any
    • Show in Address List: (checked)
    • Comments: Cytracom VoIP [optional]
  • Adding a Tag is optional
  • Then hit OK at the bottom to save
  • Create additional address ranges for our other IPs
    • Failover Server - 184.175.130.161/27
    • Presence and Mobile Server (BLF) - 3.208.72.128/27
    • Firmware Server - 52.90.29.99

Fortigate_Edit_Address.png

Configuring Address Group

  • Navigate to Policy & Objects
  • Scroll down and select the option Addresses
  • Select Create New - Address Group
  • Fill in the options below like so:
    • Name: Cytracom VoIP
    • Color: blue [optional]
    • Members: Cytracom Register, Cytracom Failover, Cytracom BLF, and Cytracom FW.
  • After adding all addresses select OK at the bottom right. 

Fortigate_Address_Group.png
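
The address objects and group above can be checked before they are entered. This added example (not Cytracom's or Fortinet's code) normalizes each listed range, flags entries written with host bits set, and renders the objects as FortiOS CLI text; pairing the ranges with the object names from the Members line is an assumption.

```python
import ipaddress

# Ranges as listed in the article. Pairing them with the object names from
# the "Members" line is an assumption of this example.
ARTICLE_RANGES = {
    "Cytracom Register": "209.105.249.0/24",
    "Cytracom Failover": "184.175.130.161/27",
    "Cytracom BLF": "3.208.72.128/27",
    "Cytracom FW": "52.90.29.99",
}
GROUP_NAME = "Cytracom VoIP"


def normalize(entry):
    """Return (network, host_bits_set) for an IP or CIDR string."""
    iface = ipaddress.ip_interface(entry)  # a bare IP is treated as /32
    return iface.network, iface.ip != iface.network.network_address


def review(ranges):
    """Names of entries whose written address is not the network address."""
    return [name for name, entry in ranges.items() if normalize(entry)[1]]


def covered_by(ip, ranges):
    """Name of the object whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, entry in ranges.items():
        if addr in normalize(entry)[0]:
            return name
    return None


def fortios_cli(ranges, group):
    """Render the address objects and the group as FortiOS CLI text."""
    lines = ["config firewall address"]
    for name, entry in ranges.items():
        net = normalize(entry)[0]
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    members = " ".join(f'"{n}"' for n in ranges)
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              f"        set member {members}", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("host bits set:", review(ARTICLE_RANGES))
    print(fortios_cli(ARTICLE_RANGES, GROUP_NAME))
```

Run against the article's list, it reports that 184.175.130.161/27 is written with host bits set; the range that entry covers is 184.175.130.160 to 184.175.130.191.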

Creating Service 

  • To create a service object, navigate to Policy & Objects
  • Scroll down and select the option Services
  • In Services, find the section labeled "VoIP, messaging & Other Applications"
    • Click on the + sign to expand the menu, select the premade category "SIP", and then select "Edit"
  • Edit the SIP service to include the additional information below
    • Name: SIP
    • Color: Blue [Optional]
    • Show in Service List: Checked on
    • Category: VoIP, messaging & Other Applications
    • Protocol Type: TCP/UDP/SCTP
    • Address:
      • FQDN
      • cytracom.net
    • Destination Port
      • TCP 5060-5061
      • TCP 10000-30000
      • UDP 5060-5062
      • UDP 10000-30000
    • Specify Source Ports: Leave unchecked
    • Select OK at the bottom right

Fortigate_Service_SIP.png

Creating Incoming and Outgoing Policies

  • To create the inbound and outbound policies, navigate to Policy & Objects
  • Scroll down and select the option IPv4 Policy
  • Fill in the options below for the Inbound rule like so:
    • Name: Cytracom_Incoming [Optional]
    • Incoming Interface: WAN
    • Outgoing Interface: LAN
    • Source: Cytracom VoIP
    • Destination: all
    • Schedule: always
    • Service: SIP
    • Action: ACCEPT
    • NAT: On [toggled]
    • IP Pool Configuration: Use Outgoing Interface Address
    • Log Allowed Traffic: Enabled (optional)
    • Enable this policy: On [toggled]

Fortigate_Incoming_Rule.png

  • Fill in the options below for the Outbound rule like so:
    • Name: Cytracom_Outgoing [Optional]
    • Incoming Interface: LAN
    • Outgoing Interface: WAN
    • Source: all
    • Destination: Cytracom VoIP
    • Schedule: always
    • Service: all
    • Action: ACCEPT
    • NAT: On [toggled]
    • IP Pool Configuration: Use Outgoing Interface Address
    • Log Allowed Traffic: Enabled (optional)
    • Enable this Policy: On [toggled]

Fortigate_outgoing_Rule.png
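
With Log Allowed Traffic enabled on the inbound rule, accepted sessions can be compared against what the rule is meant to allow. This added example (not part of the original article) checks constructed key=value log lines against the Cytracom source ranges and the SIP service ports listed above; the log field names and the sample lines are assumptions.

```python
import ipaddress
import shlex

# Source ranges and SIP service ports as given in the article.
# The service's FQDN field is not modelled here.
VENDOR_NETS = [ipaddress.ip_network(n, strict=False) for n in (
    "209.105.249.0/24", "184.175.130.161/27", "3.208.72.128/27", "52.90.29.99")]
SIP_PORTS = {6: [(5060, 5061), (10000, 30000)],    # TCP
             17: [(5060, 5062), (10000, 30000)]}   # UDP

# Constructed sample log lines (key=value layout assumed), not real traffic.
SAMPLE_LOG = """\
srcip=209.105.249.20 dstip=192.168.1.50 dstport=5060 proto=17 action="accept" policyname="Cytracom_Incoming"
srcip=3.208.72.130 dstip=192.168.1.51 dstport=5062 proto=6 action="accept" policyname="Cytracom_Incoming"
srcip=198.51.100.7 dstip=192.168.1.50 dstport=5060 proto=17 action="accept" policyname="Cytracom_Incoming"
srcip=184.175.130.170 dstip=192.168.1.52 dstport=16384 proto=17 action="accept" policyname="Cytracom_Incoming"
"""


def parse(line):
    """Split a key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def in_scope(rec):
    """True if the record matches the inbound rule's source and service."""
    src_ok = any(ipaddress.ip_address(rec["srcip"]) in n for n in VENDOR_NETS)
    ranges = SIP_PORTS.get(int(rec["proto"]), [])
    port_ok = any(lo <= int(rec["dstport"]) <= hi for lo, hi in ranges)
    return src_ok and port_ok


def out_of_scope(log_text, policy="Cytracom_Incoming"):
    """Accepted sessions on the policy that fall outside the intended scope."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("policyname") == policy and rec.get("action") == "accept":
            if not in_scope(rec):
                hits.append((rec["srcip"], int(rec["proto"]), int(rec["dstport"])))
    return hits


if __name__ == "__main__":
    for hit in out_of_scope(SAMPLE_LOG):
        print("outside intended scope:", hit)
```

Any session this reports was accepted on the inbound policy from a source or to a port the article's settings do not cover, which points to a changed address object, service or policy.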

  • To create a traffic shaper navigate to Policy & Objects
  • Scroll down and select the option Traffic Shapers
  • Click the option to add new
  • Fill in the options below for the Traffic Shaper like so:
    • Type: [Shared]
    • Name: "VoIP" [optional]
    • Traffic Priority: [Selection: High]
    • Guaranteed Bandwidth: [90kbps multiplied by the number of phones on the network]
    • DSCP: 101110
  • Scroll to the bottom and select OK to save

Fortigate_Traffic_Shaper.png

  • To create a Traffic Shaping Policy, navigate to Policy & Objects
  • Scroll down and select the option Traffic Shaping Policy
  • Click the option to add new
  • Fill in the options below for the Traffic Shaping Policy like so:
    • Name: Cytracom_VoIP 
    • Status: Enabled
    • Source: Cytracom VoIP
    • Destination: All
    • Service: ALL
    • Outgoing Interface: Any
    • Shared Shaper: Enabled [Select: VoIP]
    • Reverse Shaper: Enabled [Select: VoIP]
  • Scroll to the bottom and select OK to save

Fortigate_Traffic_shaper_policy_inbound.png

  • To create the outbound Traffic Shaping Policy, navigate to Policy & Objects
  • Scroll down and select the option Traffic Shaping Policy
  • Click the option to add new
  • Fill in the options below for the Traffic Shaping Policy like so:
    • Name: Cytracom_VoIP_Out 
    • Status: Enabled
    • Source: All
    • Destination: Cytracom VoIP
    • Service: ALL
    • Outgoing Interface: Any
    • Shared Shaper: Enabled [Select: VoIP]
    • Reverse Shaper: Enabled [Select: VoIP]
  • Scroll to the bottom and select OK to save

DNS and Web Filter

fortigate_dnsfilter.png

-----

fortigate_webfilter.png

Open a terminal session via PuTTY or the built-in Command Line and enter these commands to set up the desired options.

Setting UDP Timeout to the desired value for SIP:

CLI_UDP_timeout.png

Disabling SIP ALG:

CLI_SIP_ALG_1.png

CLI_SIP_ALG_2.png

 
